MEMORANDUM. Comments on the Updating of the LSC Risk Management Program

Transcription

1 Office of Inspector General Legal Services Corporation 3333 K Street, NW. 3rd Floor Washington, DC (p) (f) MEMORANDUM TO: FROM: LSC Audit Committee Jim J. Sandman, President Ronald S. Flagg, Vice President & General Counsel David Richardson, Treasurer and co,~)td;j. n.).-x.j,y (7, Jeffrey E. Schanz, Inspector Generf~ C. DATE: July 19, 2013 U SUBJECT: Comments on the Updating of the LSC Risk Management Program Introduction: The purpose of this memorandum is to provide the Office of Inspector General (OIG) comments on the updating of the LSC Risk Management Program (RMP) originally released in January 2009, as requested by the Audit Committee at its July 2, 2013 telephonic meeting. Please consider our comments to be advisory in nature. Placing the RMP in the forefront of organizational initiatives is important evidence of leadership by the Audit Committee and Management. Proactively managing risk is a central function of organizational leadership and directly impacts LSC's ability to achieve its operations, reporting and compliance objectives. If mismanaged, risks can carry significant regulatory, financial, and reputational consequences. Overall, the OIG believes LSC should broaden its approach to risk assessment by placing a greater emphasis on a strong and dynamic internal control framework, understood by the Board, LSC Management, LSC staff, and the grantee community. 1 =Ii:LSC II Am.,;",', P."n«For Equ.l Ju.ti«

2 Larger Perspectives on Risk Management: Generally, the OIG recommends that LSC use applicable risk management guides and practices throughout the design and implementation of its risk management program. 1. Promoting a Strong System of Internal Controls The OIG recommends that LSC use an applicable internal control framework to further design its risk management program. 1 The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control-Integrated Framework, dated May 2013, is comprised of five integrated components including the control environment, risk assessment, control activities (policies and procedures), information and communication, and monitoring activities. While all five components are necessary to successfully implement the framework, Information and Communication, and Monitoring Activities would greatly help the LSC address concerns of being able to exercise its responsibility for organizational risk. The OIG believes that unless such a framework is implemented by LSC, the current risk matrix could eventually meet the same fate as the 2009 matrix as Management officials and Board members change: paraphrasing one Committee member at a recent committee meeting -- The matrix was very helpful; I didn't know it existed. Three publications would be very helpful to the Corporation: 2 a. The Executive Summary to the recently revised COSO Internal Control Integrated Framework, dated May b. OMB Circular A-123-Management's Responsibility for Internal Control. c. Government Accountability Office's (GAO) Standards for Internal Control in the Federal Government. LSC's Accounting Guide for LSC Recipients already emphasizes the COSO Internal Control Framework. Adopting the COSO framework would bring LSC headquarters in agreement with both GAO and the guidance provided to the grantee community. 1 " A strong system of internal controls and oversight helps an organization to identify complications or ga ps in processes, allowi ng fo r a continuing cycle of self-improvement to enhance the efficiency and effectiveness of operations.", Fiscal Oversight Task Force (FOTF) report, July 28, 2011, page Available at https ://oi g.lsc.gov/gov/bi bliography.htm. 2

3 2. Enterprise Risk Managemene - A Larger Dynamic and Systematic Approach to Risk Assessment Further, the OIG recommends LSC use the COSO Enterprise Risk Management Integrated Framework that takes an expanded approach to internal control by including objective settings, event identification, and risk response. 3. Fiscal Oversight Task Force Report The OIG recommends that LSC incorporates the FOTF recommendations (2011) into its risk management program. The report reinforces the importance of internal control to reduce financial risks and achieve stronger fiscal grantee oversight. 4. Essential Elements in the Success of LSC's Risk Management Program Incorporating many of the components of these frameworks, the OIG recommends LSC consider applying the following: a. Strategy and Performance: LSC should identify, review and modify key risks in alignment with the LSC Strategic Plan to more integrate performance and risks. b. Dynamic Process: LSC should not limit its risk assessment to a static or periodic identification and review of key risks but rather include this process in the context of Enterprise Risk Management. Risk Management is a dynamic process that should be ingrained across all activities in the organizational structure and memorialized in policy and culture. c. Tone at the Top: LSC should continue to establish a strong "tone at the top" that stresses a sense of responsibility within all levels of the organization towards the management of risks and achievement of objectives. d. Measurement: LSC should create a series of performance and risk measures to provide the Corporation with more timely information about recent risk events as they pertain to strategic objectives. 3 "Enterprise Risk Management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potentia l events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regard ing the achievement of entity objectives ". The Committee of Sponsoring Organizations of the Treadway Committee (COSO) Enterprise Risk Management-Integrated Framework, Executive Summary, September 2004, Page 2. 3

4 e. Communication and Coordination: i. LSC should ensure relevant information is identified, managed and shared in a timely manner throughout the organization that allows all parties to carry their responsibilities. ii. As recommended by the FOTF report, LSC should create one central information management system to support sharing of grants oversight information across the oversight offices. 4 This could include a centralized risk management module as well. iii. There should be transparency and measurement in all risk management activities with accountability and consequences for failure. f. Training : LSC and its grantees need to ensure individuals across the organization have the proper knowledge and skills to manage risks to achieve mission success. 5 Risk Matrix Comments: Although the OIG supports a broader approach to LSC's risk management program, we offer the following comments on the draft risk matrix for Committee and Management consideration. 5. Further Definition Instead of categorizing risks by People, Funding, Assets and Grantees, LSC should consider aligning its risks to the LSC Strategic Plan's Goals and Initiatives. This would assist LSC's overall monitoring and management of key performance and risk areas. The OIG recommends LSC more specifically clarify and define the risks and their associated mitigation strategies throughout the risk matrix. Further, the Corporation should document the strengths and weaknesses of the strategies and determine the level of tolerance for each risk. 4 "Create a common system for the storing and viewing of appropriate information related to grantee operation s and oversight... "FOTF report, page "The governance and fiscal overs ig ht provid ed by LSC and its grantees should be supported by ind ividuals with knowledge of LSC-related risks as well as strong financial expertise." FOTF Report, page 19. 4

5 6. Additional Risk Area Considerations a. Management Systems Risks : The OIG recommends LSC review whether it has the management systems in place to achieve its goals and objectives. Several management system areas are worthy of inclusion or further strengthening within the RMP. Many of these management systems are commonly identified by the Government Accountability Office in its 2013 High Risk List of Federal Proqrams 6. I. Performance Management (failure to achieve performance of defined goals). Potential Strategy: Create a formal organizational management performance cycle including an annual management plan and quarterly reporting to help routinize the achievement of the LSC multi-year Strategic Plan 's goals and initiatives. ii. Human Capital Management (failure to attract, hire, motivate and retain high quality and innovative staff needed to carryout organizational goals and objectives; poor labor relations - including strikes). Potential Strategies: 1. Define career ladders. 2. Provide professional trainings and continuing education. 3. Implement pay for performance system. 4. Maintain open communication with the union. 5. Transition planning (at all levels). iii. Information Management (failure to collect and share vital information). Potential Strategies: 1. Create a more transparent corporate culture that expects the timely sharing of information and the breaking of information silos. 2. Perform organizational systems analysis identifying most critical information sharing needs (e.g. one common grantee oversight and risk management system). 3. Determine degree of business process maturity and reengineering needs. 4. Perform process automation requirement analysis. 5. Procure or build information systems to enhance core function execution. 6 qov/hiq hriskloverview. 5

6 iv. Cost Management (unknown waste related to insufficient cost reporting). Potential Strategy: LSC could review the managerial accounting reporting and timekeeping systems to determine if the organization would be better supported by an activity based management system (integrating budget, resources, plans, actions, costs and performance). This could allow costs (including human resource costs) of all operational projects to be visible, creating more management information potentially leading to cost savings through process improvements or eliminations. v. Acquisitions Management (higher contract costs and possible areas of fraud, waste and abuse). LSC should consider adding acquisitions management as a potential risk area both for LSC Management and Grantee Operations. Weaknesses in acquisition systems, the procurement process, policies and procedures, accountability and contracts management are all areas of possible concern. b. LSC Regulations (Risk that regulations do not clearly and effectively implement statutory requirements). To the extent it exists, ambiguity or obscurity in regulatory language and official LSC interpretations can make compliance by grantees and enforcement by the Corporation more difficult. Additionally, changing circumstances extrinsic to the rules themselves may alter the impact of rules on grantees and their effectiveness, e.g., technological changes could lead to reduced burden on grantees, other extrinsic changes lead to increased or decreased burden on grantees. c. Grant Competition (Low grantee production). The lack of an openly competitive landscape for LSC services hurts innovation and incentives to provide more efficient service delivery within the LSC funded network of grantees. Potential Strategies: LSC could review restructuring of the grants and alternative delivery strategies. d. Subgrant Oversight and Performance: This is a traditional concern area for Federal grant programs as subgrant oversight is often missed. e. Information Technology: a. Investment. (Failure to architect LSC technology initiatives portfolio to maximize returns on investments). 6

7 Potential Strategies: 1. LSC has hired a Chief Information Officer. 2. Create a national legal aid technology investment plan focusing in the highest return on investment projects and national replication. 3. Create a Board Technology Committee or Information Technology Investment Review Committee to frequently oversee this critical area in enabling LSC grantees and legal aid providers to serve more eligible persons. b. Security. There are high information security management risks at grantees (e.g., grantees are using internet based case management systems and mobile applications). Potential Strategy: LSC should review the grantees' security policies and provide guidance for protecting sensitive client and case information and other relevant organizational data. 7. Risk Probability Considerations The OIG recommends LSC review the probability and severity rankings in the following areas: a. LSC Management Leadership: Preventing Leadership Problems. There are many new senior management team members (with less than one year of LSC experience), an impending reorganization, as well as open collective bargaining negotiations; thus, an unstable environment. b. Conflicts of Interest/Ethics Violations. As noted in the FOTF report LSC should continue to identify, monitor, and disclose conflicts of interest related to staff and grantees. c. Preservation of LSC interest in grantee property (potential for loss). Beyond Human Capital, the next largest cost area in legal services is real estate. LSC's real estate interests include the preservation of LSC interest in grantee properties nationwide and the headquarters lease and potential transition to ownership. d. Major Misuse of grant funds. LSC should pay attention to all, not just major misuses of grant funds. Any misuse is an indicator of general mismanagement. e. Failure of insufficient controls. Internal controls are critical and likely not well-understood. 7